b'OFFICE OF INSPECTOR GENERAL\n\n               Audit Report\nFiscal Year 2008 Evaluation of Information Security\n       at the Railroad Retirement Board\n\n\n                Report No. 08-05\n               September 30, 2008\n\n\n\n\n   RAILROAD RETIREMENT BOARD\n\x0c                                  INTRODUCTION\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) evaluation\nof information security at the Railroad Retirement Board (RRB).\n\nBackground\n\nThe RRB administers the retirement/survivor and unemployment/sickness insurance\nbenefit programs for railroad workers and their families under the Railroad\nRetirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA).\nThese programs provide income protection during old age and in the event of\ndisability, death, temporary unemployment or sickness. The RRB paid over $9.8\nbillion in benefits during fiscal year (FY) 2007. The RRB is headquartered in\nChicago, Illinois and has 53 Field Offices across the nation.\n\nThe RRB\xe2\x80\x99s information system environment consists of six major application\nsystems and two general support systems, each of which has been designated as a\nmoderate impact system in accordance with standards and guidance promulgated\nby the National Institute of Standards and Technology (NIST). The major application\nsystems correspond to the RRB\xe2\x80\x99s critical operational activities, including RRA benefit\npayments, RUIA benefit payments, maintenance of railroad employees\xe2\x80\x99 service and\ncompensation records, administration of Medicare entitlement, financial\nmanagement, and the RRB\xe2\x80\x99s financial interchange with the Social Security\nAdministration. 
The two general support systems comprise the mainframe computer\nand the local area network/personal computer (LAN/PC) systems.\n\nThis evaluation was conducted pursuant to Title III of the E-Government Act of 2002,\nthe Federal Information Security Management Act of 2002 (FISMA), which requires\nannual agency program reviews, Inspector General security evaluations, an annual\nagency report to the Office of Management and Budget (OMB), and an annual OMB\nreport to Congress. FISMA also establishes minimum requirements for the\nmanagement of information security in nine areas.\n\n     \xc2\xbe   Risk Assessment\n     \xc2\xbe   Policies and Procedures\n     \xc2\xbe   Testing and Evaluation\n     \xc2\xbe   Training\n     \xc2\xbe   Security Plans\n     \xc2\xbe   Remedial Action Process\n     \xc2\xbe   Incident Handling and Reporting\n     \xc2\xbe   Continuity of Operations\n     \xc2\xbe   Inventory of Systems\n\nInformation security means protecting information and information systems from\nunauthorized access, use, disclosure, disruption, modification or destruction in order\nto provide confidentiality, integrity, and availability. An information system is a\n\n\n                                           1\n\x0c\xe2\x80\x9cdiscrete set of information resources organized for the collection, processing,\nmaintenance, use, sharing, dissemination, or disposition of information. Information\nresources include information and related resources, such as personnel, equipment,\nfunds, and information technology.\xe2\x80\x9d 1\n\nThe OIG previously evaluated information security at the RRB during FYs 2000\nthrough 2007, and reported weaknesses throughout the RRB\xe2\x80\x99s information security\nprogram. 
2 The OIG also cited the agency with significant deficiencies in access\ncontrols in the mainframe and LAN/PC environments, as well as delays in meeting\nFISMA requirements for both risk assessments and periodic testing and evaluation.\n\nThe Bureau of Information Services (BIS), under the direction of the Chief\nInformation Officer is responsible for the RRB\xe2\x80\x99s information security and privacy\nprograms. FISMA requires agencies to report any significant deficiency as a\nmaterial weakness under the Federal Managers\xe2\x80\x99 Financial Integrity Act. 3\n\nObjective, Scope and Methodology\n\nThis evaluation was performed to meet FISMA requirements for an annual OIG\nevaluation of information security during FY 2008. Our evaluation included:\n\n      1. testing the effectiveness of information security policies, procedures, and\n         practices of a representative subset of the agency\xe2\x80\x99s information systems; and\n\n      2. assessing the RRB\xe2\x80\x99s compliance with FISMA requirements and related\n         information security policies, procedures, standards, and guidelines.\n\nTo meet the first requirement, the OIG audited application controls in the Financial\nInterchange major application in accordance with NIST Special Publication (SP)\n800-53 guidance. 4 We began an audit of the Financial Management major\napplication in accordance with the Government Accountability Office (GAO) Federal\nInformation System Controls Audit Manual (FISCAM), GAO/AIMD-12.19.6. 
We also\nperformed ongoing reviews of the agency\xe2\x80\x99s significant deficiency in access control\nby conducting penetration tests of agency servers.\n\n\n1\n  NIST Federal Information Processing Standards Publication 200, \xe2\x80\x9cMinimum Security Requirements\nfor Federal Information and Information Systems.\xe2\x80\x9d\n2\n    OIG audit reports are maintained on the RRB website at http://www.rrb.gov/oig/library.asp.\n3\n  A significant deficiency is a weakness in an agency\xe2\x80\x99s overall information systems security program,\nmanagement control structure, or within one or more information systems that significantly restricts\nthe capability of the agency to carry out its mission or compromises the security of its information,\ninformation systems, personnel, or other resources, operations, or assets.\n4\n  FISMA establishes minimum security requirements for all agency operations and assets. These\nrequirements are listed in NIST SP 800-53.\n\n\n                                                    2\n\x0cTo meet the second requirement, we considered the results of prior audits and\nevaluations of information security during FYs 2000 through 2007, including the\nstatus of related recommendations for corrective action. We also obtained and\nreviewed documentation supporting the RRB\xe2\x80\x99s performance in meeting FISMA\nrequirements and interviewed responsible agency management and staff. Lastly,\nwe examined documentation related to the RRB\xe2\x80\x99s Medicare contractor operations to\ndetermine whether controls were designed to meet FISMA requirements. 
Our tests\nof contractor operations did not include an assessment of whether the controls were\noperating or effective.\n\nThe primary criteria for this evaluation included:\n\n   \xe2\x80\xa2   FISMA requirements;\n   \xe2\x80\xa2   OMB Circular A-130, \xe2\x80\x9cManagement of Federal Information Resources\xe2\x80\x9d;\n   \xe2\x80\xa2   OMB memoranda;\n   \xe2\x80\xa2   NIST standards and guidance; and\n   \xe2\x80\xa2   GAO FISCAM.\n\nOur work was performed in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings\nand conclusions based on our audit objectives. We believe that the evidence\nobtained provides a reasonable basis for our findings and conclusions based on our\naudit objectives. Fieldwork was conducted at RRB headquarters in Chicago, Illinois\nfrom May through September 2008.\n\n\n\n\n                                           3\n\x0c                                 RESULTS OF EVALUATION\n\nThe RRB has not yet achieved an effective FISMA compliant security program. The\nagency is addressing its significant deficiencies in the previously reported areas of\naccess controls, risk assessments, and periodic testing and evaluation; however,\nmuch work remains to be completed.\n\nPreviously identified weaknesses in the areas of risk based policies and procedures,\na NIST compliant certification and accreditation program, the identification of\ncontractors, an effective remedial action process, the continuity of operations, and\nthe inventory of systems continue to exist. 
During our FY 2008 evaluation, we also\nobserved weaknesses in the agency\xe2\x80\x99s implementation of timely, NIST compliant,\nsystem security plans, and in the identification and training of temporary employees.\n\nThe details of our assessment of agency progress in complying with FISMA\nrequirements and a summary of the weaknesses identified during our FY 2008\nevaluations, including recommendations for corrective action, follow. Agency\nmanagement has agreed to take the recommended corrective action for all\nrecommendations except Recommendation 3 for which they are seeking legal\ncounsel. The full text of managements\xe2\x80\x99 response is included in this report as\nAppendices I and II.\n\nCertification and Accreditation\n\nThe RRB has not yet implemented a NIST compliant certification and accreditation\nprogram. 5 The OIG cited the RRB with this deficiency in FY 2003. We found that\nexisting agency procedures for authorizing the processing of information systems\nwere not adequate to meet NIST requirements because they did not place\nresponsibility at a high enough level of agency management and were not supported\nby adequate risk assessment and testing processes.\n\nOMB Circular A-130, Appendix III requires that agency management authorize\nsystems for processing based on the formal technical evaluation of the\nmanagement, operational, and technical controls. This authorization should occur at\nleast every three years or when there has been a significant change to the system.\nNIST SP 800-37 provides that security accreditation should be given by a senior\nagency official who has authority to oversee the budget and business operations of\nthe information system.\n\nAgency management rejected the OIG\xe2\x80\x99s recommendation to develop a formal\ncertification and accreditation process when it was first offered in FY 2003, but\nagreed to implement the recommendation when it was again offered in FY 2004. 
6\n\n5\n The terms certification and accreditation are synonymous with the formal technical evaluation of the\ncontrols and the authorization of the information system for processing, respectively.\n6\n    OIG Report No. 03-10, Recommendation 6.\n\n\n                                                  4\n\x0cThat recommendation is pending corrective action. Elsewhere in this report we\ndiscuss the significant deficiencies in the RRB\xe2\x80\x99s risk assessment and testing and\nevaluation processes which are critical elements of certification and accreditation.\n\nDuring FYs 2007 and 2008, the agency contracted with technical specialists to assist\nin the certification and accreditation of the RRB\xe2\x80\x99s two general support systems and\nfive of the six major applications. The contract includes the preparation of risk\nassessments, updated security plans, security testing and evaluations, and a Plan of\nAction and Milestones (POAM) for each system reviewed. As of August 2008, only\nthe LAN/PC general support system had been fully certified and accredited. The\ncertification and accreditation of the mainframe general support system and five\nmajor applications are currently in progress; certification and accreditation of the\nsixth major application has not been scheduled.\n\nOur evaluation also disclosed that the Financial Management major application\nsystem was not included in the RRB\xe2\x80\x99s certification and accreditation initiative\nbecause of a pending government-wide financial management modernization\nproject. That project, the Financial Management Line of Business, will require most\nFederal agencies to migrate their financial management activities to a shared\nservice provider. While the RRB has budgeted for a feasibility study during\nFY 2010, it has not established a date for early implementation of a new system\nwhich OMB requires by September 2016. 
Excluded from the agency-wide effort, the\nfinancial management major application could operate for up to eight years without\nbeing certified and accredited.\n\nWithout a formal, NIST compliant, certification and accreditation of all of its major\napplications, the RRB cannot ensure that the information system is operating at an\nacceptable level of risk to agency operations, assets, or individuals.\n\nRecommendation\n\n   1. We recommend that the Bureau of Fiscal Operations ensure that a formal,\n      NIST compliant, certification and accreditation of the Financial Management\n      major application is performed.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Fiscal Operations has agreed to request funding for a certification\nand accreditation of the Financial Management major application.\n\n\n\n\n OIG Report No. 04-11, Recommendation 9.\n\n\n\n                                           5\n\x0cAccess Control\n\nThe design and implementation of access controls in the RRB\xe2\x80\x99s general support and\napplication systems is not adequate to meet minimum standards of least privilege\nestablished by OMB Circular A-130, Appendix III. Least privilege is the practice of\nrestricting a user\xe2\x80\x99s access or type of access to the minimum necessary to perform\nhis or her job.\n\nIn our FY 2001 evaluation of information security (and confirmed by technical\nspecialists under contract to the OIG), we cited the agency with a significant\ndeficiency in access control and made several recommendations. Since that time,\nadditional recommendations have been made. As of September 4, 2008, the\nagency has 14 open audit recommendations dealing with access control. 7\n\nOur FY 2008 assessment of information security in the Financial Interchange major\napplication identified access and sharing permissions that do not restrict the financial\ninterchange files and folders in a manner consistent with the principle of least\nprivilege. 
We also reported that individuals with high-level privileges and non-unique\nidentification and passwords compromise accountability and access control. Based\non our review, we made three additional recommendations in the area of access\ncontrol.\n\nOur ongoing reviews of the agency\xe2\x80\x99s significant deficiency in access control through\npenetration tests of agency servers also disclosed poor security configurations that\nallowed access to unauthorized users. The results of these reviews were\ncommunicated to agency management through separate memoranda and agency\nofficials have taken actions to address the weaknesses.\n\nExcessive rights and privileges weaken the overall information security program.\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is\npending; the OIG has no additional recommendations to offer at this time.\n\n\n\n\n7\n    OIG Report No. 02-04, Recommendations 13, 20 and 21.\n    Blackbird Technologies, Inc. Report dated 07/20/01, Recommendation 5.\n    OIG Report No. 04-08, Recommendation 1.\n    OIG Report No. 05-08, Recommendations 10 and 11.\n    DSD LAN Report dated 06/07/05, Recommendations 6, 7, 8 and 9.\n    DSD SCAN Report dated 06/07/05, Recommendation 6.\n    DSD WEB Report dated 06/07/05, Recommendation 16.\n    OIG Report No. 07-08, Recommendation 1.\n\n\n\n                                                  6\n\x0cRisk Assessment\n\nThe RRB has not implemented an effective risk assessment process including\ndocumentation of agency determinations regarding risk. Organizations use risk\nassessments to determine the potential threats to information and information\nsystems and to ensure that the greatest risks have been identified and addressed.\n\nFISMA requires Federal agencies to periodically assess the risk and magnitude of\nharm that could result from unauthorized access, use, disclosure, disruption,\nmodification, or destruction of information or information systems. 
NIST SP 800-30,\n\xe2\x80\x9cRisk Management Guide for Information Technology Systems,\xe2\x80\x9d presents a risk\nassessment methodology agencies can use when performing their periodic\nassessments.\n\nIn FY 2005, we cited the agency with a significant deficiency because the agency\nhad made little progress in implementing a formal risk assessment process in\naccordance with NIST guidance. We also recommended that the agency complete\nformal, NIST compliant, risk assessments of the major application and general\nsupport systems. 8 That recommendation is pending corrective action.\n\nDuring FYs 2007 and 2008, the agency contracted with technical specialists to assist\nin the certification and accreditation of the RRB\xe2\x80\x99s major applications and general\nsupport systems. This contract included the preparation of formally documented,\nNIST compliant, risk assessments. As of August 2008, only one risk assessment for\nthe RRB\xe2\x80\x99s LAN/PC general support system had been finalized. Draft risk\nassessments have been prepared for most of the other information systems under\nthe contract for certification and accreditation.\n\nOur review of the LAN\xe2\x80\x99s risk assessment document showed that the contractor had\ncompleted the risk assessment in accordance with NIST guidance; however, we\nnoted some weaknesses in the final product, particularly in the description of the\nsystem environment and in the control analysis for system backups. We attribute\nthese weaknesses to an ineffective review process of contractor deliverables\nperformed by BIS. As a result, the effectiveness of the certification and accreditation\nprocess and the information security program as a whole is undermined.\n\nRecommendation\n\n      2. 
We recommend that the Bureau of Information Services review and update\n         the LAN/PC general support system\xe2\x80\x99s risk assessment to accurately reflect\n         the current RRB system environment and control analysis.\n\n\n\n\n8\n    OIG Report No. 05-08, Recommendation 4.\n\n\n\n                                              7\n\x0cManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services concurs with this recommendation and will\nadjust the risk assessment to compliment the current environment.\n\n\nTesting and Evaluation\n\nThe RRB has not yet implemented a consistent, FISMA compliant, testing and\nevaluation process.\n\nFISMA requires periodic testing and evaluation of the effectiveness of information\nsecurity policies, procedures, and practices performed with a frequency depending\non risk, but no less than annually. The periodic tests and evaluation must include\ntesting of management, operational and technical controls for every system\nidentified in the agency\xe2\x80\x99s inventory of systems, including contractor operations.\nNIST SP 800-53A, \xe2\x80\x9cGuide for Assessing the Security Controls in Federal Information\nSystems,\xe2\x80\x9d provides procedures for assessing the effectiveness of security controls\nemployed in Federal information systems and directly supports the security\ncertification and accreditation process.\n\nThe OIG previously reported that RRB tests did not meet FISMA requirements\nbecause they did not include all major application systems and were not\ncomprehensive with respect to all three categories of controls: management,\noperational, and technical. We recommended that management act to ensure\nperiodic independent evaluations of system security for major applications, as well\nas the quality of security self-assessments. 
9\n\nThe OIG\xe2\x80\x99s FY 2005 FISMA evaluation cited the RRB with a significant deficiency in\nits testing and evaluation program because the agency had made little progress in\nimplementing a compliant periodic testing and evaluation process. In FY 2007, we\nreported agency efforts to perform NIST compliant tests of certain common controls\nwere not fully effective because testing did not extend to RRB offices outside of\nheadquarters. We recommended that agency test and evaluation plans be extended\nto include these other offices. 10\n\nDuring FY 2007, the RRB completed the certification and accreditation process for\nits LAN/PC general support system, but did not provide for subsequent testing and\nevaluation during FY 2008. BIS advised us that their FY 2008 testing had been\nlimited to vulnerability scans to verify correction of weaknesses identified in the prior\n\n\n9\n    OIG Report No. 02-04, Recommendation 3.\n    OIG Report No. 03-02, Recommendations 1, 2, 3 and 4.\n10\n     OIG Report No. 07-08, Recommendation 2.\n\n\n\n                                                 8\n\x0cyear\xe2\x80\x99s certification and accreditation process; however, no documentation was made\navailable for our review.\n\nInadequate testing and evaluation weakens the security program as a whole. 
As a\nresult, the RRB cannot ensure the confidentiality, integrity, or availability of agency\ninformation.\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is\npending; the OIG has no additional recommendations to offer at this time.\n\n\nTesting and Evaluation of Contractor Operations\n\nThe RRB\xe2\x80\x99s tests and evaluations are not comprehensive with respect to contractor\noperations.\n\nFISMA requires agencies to provide \xe2\x80\x9cinformation security protections \xe2\x80\xa6 of (i)\ninformation collected or maintained by or on behalf of an agency; and (ii) information\nsystems used or operated by an agency or by a contractor of an agency or other\norganization on behalf of an agency\xe2\x80\xa6.\xe2\x80\x9d Additionally, each agency shall \xe2\x80\x9cdevelop,\ndocument, and implement an agencywide information security program \xe2\x80\xa6 to provide\ninformation security for the information and information systems that support the\noperations and assets of the agency, including those provided or managed by\nanother agency, contractor, or other source\xe2\x80\xa6.\xe2\x80\x9d\n\nOMB M-08-21, \xe2\x80\x9cFY 2008 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management,\xe2\x80\x9d states that each agency must\nensure their contractors abide by FISMA requirements. Additionally, agencies \xe2\x80\x9care\nfully responsible and accountable for ensuring all FISMA and related policy\nrequirements are implemented and reviewed and such must be included in the terms\nof the contract. Agencies must ensure identical, not \xe2\x80\x98equivalent,\xe2\x80\x99 security\nprocedures.\xe2\x80\x9d\n\nIn FY 2005 we reported that the agency did not have formal policies and procedures\nfor the review of contractor operations and recommended that BIS develop the\npolicies and procedures in accordance with NIST guidance. 
That recommendation\nwas closed as implemented on July 5, 2007, when BIS published instructions on\nhow to perform and document information security site assessments. These\ninstructions are published in the RRB Information Systems Security Policy,\nStandards and Guidelines Handbook.\n\nAlthough the RRB has implemented a policy to perform and document information\nsecurity site assessments, they have not developed a comprehensive plan to\naccomplish testing and evaluation of all of the RRB\xe2\x80\x99s contractor operations. We\n\n\n\n                                           9\n\x0chave observed that while some program managers are taking action to perform site\nassessments, others have not.\n\nInadequate testing and evaluation of contractor operations weakens the security\nprogram as a whole. As a result, the RRB cannot ensure the confidentiality,\nintegrity, or availability of agency information processed by contractors.\n\nRecommendation\n\n     3. We recommend that the Bureau of Information Services develop a\n        comprehensive plan for the testing and evaluation of the agency\xe2\x80\x99s contractor\n        operations.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services advises that this recommendation is under\nconsideration pending legal counsel to verify which agency contracts should be\nconsidered for certification and accreditation as information systems in compliance\nwith FISMA requirements. 
They will advise the Office of Inspector General of their\ndecision regarding concurrence or non-concurrence after guidance is provided.\n\n\nPolicies and Procedures\n\nThe RRB continues to need improvement in implementing risk-based policies and\nprocedures that are comprehensive and effective in all areas of the agency\xe2\x80\x99s\ninformation security and privacy programs.\n\nFISMA requires that agencies include risk-based policies and procedures that\nreduce risks to an acceptable level and ensure that information security (which\nincludes the confidentiality, integrity, and availability of information) is addressed\nthroughout the life cycle of each information system.\n\nDuring FY 2007, we conducted several reviews which disclosed the need for\nadditional policies, procedures and practices to address information security and\nprivacy weaknesses for overall improvement in the agency\xe2\x80\x99s information security\nand privacy programs. 11 Those recommendations are pending corrective action.\n\nDuring our FY 2008 review of the agency\xe2\x80\x99s security awareness and training program\nwe identified a temporary employee in an RRB field office, for which no signed\n11\n  OIG Report No. 07-02, Recommendations 2, 3 and 4.\n OIG Memorandum No. 07-02m, Recommendation 1.\n OIG Report No. 07-04, Recommendations 1, 2, 3, 4, 5 and 6.\n OIG Report No. 07-06, Recommendations 1, 2, 3, 5, 6, 7, 8, 10, 13, 14, 15 and 16.\n OIG Report No. 07-07, Recommendations 2 and 4.\n OIG Report No. 07-09, Recommendations 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,\n20, 21, and 22.\n\n\n                                                 10\n\x0cComputer Access Authorization Request had been submitted to headquarters. The\nComputer Access Authorization Request includes the employee\xe2\x80\x99s signed\nacknowledgement of the expected rules and behaviors associated with computer\naccess. 
The form also provides the employee with notice of penalties should\nviolation of the rules and behaviors occur. These forms are maintained by BIS to\nsupport access control. Temporary employees are hired by the RRB through local\nemployment agencies on an as needed basis for short periods of time when\nworkloads are high. Information for these employees is not maintained in the RRB\xe2\x80\x99s\npersonnel and payroll systems.\n\nWe found that BIS has not developed any controls to ensure timely submission of\nthe authorization requests from field offices. As a result, there is a risk that the\nauthorization request may not be obtained from the field office employee or be\navailable to agency management, if the signed acknowledgement of the expected\nrules and behaviors is needed.\n\nRecommendation\n\n   4. We recommend that the Bureau of Information Services develop controls to\n      ensure Computer Access Authorization Requests are received from field\n      offices in a timely manner.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services concurs with the recommendation and advises\nthey are developing controls to ensure Computer Access Authorization Requests are\nreceived from field offices in a timely manner.\n\n\nTraining\n\nThe RRB has met the FISMA requirement for information security training for\nemployees and contractors, but needs improvement to ensure that temporary\nemployees are included in the training program.\n\nFISMA requires agencies to provide security awareness training to employees,\ncontractors, and other users of information systems. In addition to security\nawareness training, agencies are required to provide appropriate training on\ninformation security to personnel with significant security responsibilities. 
The RRB\nhas developed a security awareness training pamphlet, RRB Form G-15, which\nprovides an overview of the RRB\xe2\x80\x99s policies and procedures for information security.\nPersonnel are required to sign Form G-15a to acknowledge that they have read and\nunderstand this pamphlet. Annual refresher training may or may not consist of\nreviewing this pamphlet, as other areas of concentration may be desired by agency\nmanagement.\n\n\n\n\n                                          11\n\x0cOur review of the agency\xe2\x80\x99s security awareness and training program disclosed that\nthe RRB did not provide security awareness training to all temporary employees\nbecause the field offices were not instructed to ensure such training. We also\nobserved that the training records maintained by BIS inaccurately categorized some\ntemporary employees as regular employees when the field office provided the\nsecurity awareness training. In those instances, the field office provided the training\nto all field office employees, regardless of employment status.\n\nSecurity awareness training informs users of their duties and responsibilities in\ncomplying with agency policies and procedures to reduce risks associated with\ninformation security. Untrained temporary employees pose additional risks because\ntheir corporate culture may not be aligned with agency policy, procedures, and rules\nof behavior.\n\nRecommendation\n\n   5. 
      We recommend that the Bureau of Information Services develop controls to
      identify temporary employees and ensure that each temporary employee is
      provided with security awareness training when the temporary employee is
      hired.

Management’s Response

The Bureau of Information Services concurs with the recommendation and advises
that it is developing improved procedures to ensure that all employees and
contractors are provided with security awareness training when hired.


Security Plans

The RRB has responded to the requirement for system security plans; however,
more work is needed to ensure all plans are completed in accordance with NIST
guidance.

FISMA requires that agencies maintain subordinate plans for providing adequate
information security for networks, facilities, and systems or groups of information
systems. System security plans document this information. The RRB’s
Administrative Circular IRM-7, “Security Plans for Information Technology Systems,”
requires system security plans to be updated every two years using guidance
established by NIST SP 800-18, “Guide for Developing Security Plans for Federal
Information Systems.”

During FYs 2007 and 2008, the agency contracted with technical specialists to assist
in the certification and accreditation of the RRB’s two general support systems and
five of the six major applications, including the completion of updated system
security plans in accordance with NIST guidance. As of August 2008, only the
LAN/PC general support system security plan was finalized. Draft system security
plans have been prepared for most of the other information systems under contract
for certification and accreditation. Since the Financial Management system was not
included in the contract, no updated system security plan was prepared by the
contractor for that system.

When we advised the RRB in July 2008 that the Financial Management major
application’s system security plan was out-of-date, the RRB took action to update
that plan. However, they did not prepare the updated plan in accordance with NIST
guidance. NIST guidance requires a description of the individual security controls in
place or planned for the information system, as well as the identification of any
common controls that are not system specific.

Our review of the LAN/PC system security plan showed that the contractor also did
not complete the plan in accordance with NIST guidance. We noted that the system
security plan contained inaccurate or missing information for system environment,
wireless and mobile device access, system interconnections, and the identification
of common controls. We also noted that the system security plan document did not
contain completion or approval dates. We attribute these weaknesses to an
ineffective review process of contractor deliverables performed by BIS.

Incomplete or inaccurate system security plans undermine the information security
program as a whole.

Recommendations

   6. We recommend that the Bureau of Fiscal Operations prepare an updated
      system security plan in accordance with NIST guidance.

   7. We recommend that the Bureau of Information Services review and update
      the LAN/PC system security plan to address the inaccurate or missing
      information.

Management’s Responses

The Bureau of Fiscal Operations has agreed to request funding for a certification
and accreditation of the Financial Management major application, and hopes to
utilize the existing contract the agency has in place for the other agency systems.

The Bureau of Information Services concurs with the recommendation and will
review the system security plan that was provided during the certification and
accreditation process.


Remedial Action Process

The RRB’s remedial action process continues to be ineffective in identifying and
prioritizing all weaknesses in the agency’s information security and privacy
programs.

FISMA requires Federal agencies to maintain a process for planning, implementing,
evaluating, and documenting remedial action to address any deficiencies in the
information security policies, procedures, and practices of the agency. OMB
requires agencies to develop a formal POAM to identify vulnerabilities in information
security and privacy, and to track the progress of corrective action. Each year, OMB
requires the OIG to assess the agency’s POAM as part of the FISMA reporting
process.

The OIG first criticized the RRB’s POAM in FY 2003 as ineffective in articulating
weaknesses and planning corrective actions, and recommended the RRB review
and revise the POAM to include the items that were missing. The RRB rejected that
recommendation. 12 In FY 2005, we again reported that the existing POAM was not
comprehensive with respect to identifying weaknesses, and provided inadequate
prioritization of agency plans and efforts to correct the weaknesses found.
In FY 2007, we also reported that the agency was not preparing action plans for its
privacy-related weaknesses and that those weaknesses were not being incorporated into
the existing POAM. We made recommendations to address these issues. 13

During FYs 2007 and 2008, the agency contracted with technical specialists to assist
in the certification and accreditation of the RRB’s two general support systems and
five of the six major applications. The contract includes the preparation of individual
POAMs for each system. As of August 2008, only the LAN/PC general support
system has been fully certified and accredited. Certification and accreditation of the
mainframe general support system and five major applications are currently in
progress.

Our current assessment of the existing POAM shows that the agency has not
prepared an “agency-wide” POAM, nor has the POAM developed during the LAN/PC
certification and accreditation been kept up-to-date. On July 2, 2008, we were
provided a copy of the POAM developed for the LAN/PC general support system,
which had not been updated since November 30, 2007. This POAM did not reflect
any entries to support actions the agency claims to have taken to address the
security weaknesses. Additionally, this POAM did not incorporate all of the
weaknesses identified in the risk assessment process. For example, we observed
that the risk assessment identified a weakness concerning modem usage, while the
POAM omitted that weakness altogether. 14

12 OIG Report No. 03-11, Recommendation 1.
13 OIG Report No. 05-11, Recommendation 3.
   OIG Report No. 07-06, Recommendation 15.
14 We discuss this weakness in further detail in the report section entitled “Inventory of Systems.”

As a result, agency efforts to date have been insufficient in correcting POAM
deficiencies, and the POAM is not being used as the management tool OMB intended for
identifying vulnerabilities and monitoring agency corrective actions.

Recommendation

Agency action to implement prior OIG recommendations for corrective action is
pending; the OIG has no additional recommendations to offer at this time.


Incident Handling and Reporting

The RRB’s incident handling and reporting program is generally effective in ensuring
the confidentiality, integrity, and availability of the agency’s information and
information technology.

FISMA mandates that Federal agencies develop, document, and implement
procedures for detecting, reporting, and responding to security incidents as part of
their agency-wide information security programs.

In FY 2006, the OIG performed a detailed review of the RRB’s incident handling and
reporting program and found that the agency’s overall efforts were sufficient to meet the
requirements established by FISMA. We did, however, recommend some areas
where program management could be improved. 15 Our reviews performed in
FYs 2007 and 2008 did not disclose any additional weaknesses.

15 OIG Report No. 06-09, Recommendations 1, 2, 3, 4, 7, 8, 9 and 10.

Recommendation

Agency action to implement prior OIG recommendations for corrective action is
pending; the OIG has no additional recommendations to offer at this time.


Continuity of Operations

The RRB has developed a continuity of operations plan that generally meets FISMA
requirements, but some improvements can be made.

FISMA requires Federal agencies to implement plans and procedures to ensure
continuity of operations for information systems that support the operations and
assets of the agency.

Historically, the RRB has provided for semi-annual off-site recovery testing of the
two general support systems and the mainframe databases of its major application
systems. The RRB generally also tests some of the major application batch
processes, and LAN connectivity. As a result, the agency’s disaster recovery plan
provides assurance that most of the agency’s major information technology functions
would be operational in the event of a disaster. However, the agency has not yet
ensured that the disaster recovery training plan is followed, that data packs containing
sensitive information are cleared before leaving the test site, or that each major
application system is scheduled for off-site testing. 16

In FY 2007, we reported that the agency had never performed off-site testing of the
Financial Interchange major application and that the Financial Management major
application had not been tested since FY 2002. In March 2008, the agency
performed off-site testing of the Financial Management major application.
The RRB
also advised us that they expect to include the Financial Interchange major
application in their off-site testing in September 2008.

Recommendation

Agency action to implement prior OIG recommendations for corrective action is
pending; the OIG has no additional recommendations to offer at this time.


Inventory of Systems

The RRB has generally complied with FISMA requirements to identify major and
component applications, but continues to need improvement in establishing a
reliable fixed asset inventory of information technology equipment.

FISMA requires that each agency develop, maintain, and annually update its
inventory of major information systems. This inventory is to include an identification
of the interfaces between each system and all other systems or networks, including
those not operated by, or under the control of, the agency.

Our review showed that while the agency has made progress in updating its
inventory of component applications and server locations, work remains to be
completed to identify the component system’s responsible official when security
administration is decentralized. 17 Additionally, in FY 2007 we recommended that the
RRB perform a physical inventory of information technology hardware and update
the agency’s official fixed asset inventory system. 18 That recommendation is
currently pending corrective action.

16 OIG Report No. 06-08, Recommendation 5.
   OIG Report No. 07-08, Recommendations 5 and 6.
17 OIG Report No. 05-08, Recommendation 3.
18 OIG Report No. 07-08, Recommendation 7.

During our review of the risk assessment prepared for the LAN/PC certification and
accreditation, we noted that a weakness had been reported concerning modem usage
while the POAM omitted that weakness altogether. We obtained the results of a
modem study performed by BIS between May and August 2008, and observed data
discrepancies between the listing of modems identified in that study and the
inventory of modems in the agency’s fixed asset inventory system. Additionally, we
observed that some employees listed in the study continue to have a modem in their
workstation, even though they stated they no longer require the modem for their job
functions. We noted that some, but not all, modems used by the agency are
configured to access only other Federal agencies in a secure manner. We also
noted that some modems are not secure, and pose additional threats to the
agency’s network.

Recommendation

      8. We recommend that the Bureau of Information Services continue their efforts
         to identify each agency modem, address data discrepancies between their
         study and the fixed asset inventory system, and implement controls to ensure
         adequate protection of the RRB network.

Management’s Response

The Bureau of Information Services concurs with the recommendation and states
that the ongoing modem study project is intended to identify agency modems,
address data discrepancies regarding modems in the fixed asset inventory system
and assess RRB network modem controls.


                                                                             Appendix I

                       UNITED STATES GOVERNMENT
                       RAILROAD RETIREMENT BOARD
                       MEMORANDUM

                                                                          SEP 24 2008

     TO:        Letty B. Jay
                Assistant Inspector General for Audit

     FROM:      John M. Walter
                Chief of Accounting, Treasury, and Financial Systems

     THROUGH:   Kenneth P. Boehne
                Chief Financial Officer

     SUBJECT:   Fiscal Year 2008 Evaluation of Information Security
                at the Railroad Retirement Board


     The draft report, "Fiscal Year 2008 Evaluation of Information Security at the Railroad
     Retirement Board," included the following recommendations for BFO:

          1.  We recommend that the Bureau of Fiscal Operations ensure that a formal,
              NIST compliant, certification and accreditation of the Financial
              Management major application is performed.

          6.  We recommend that the Bureau of Fiscal Operations prepare an updated
              system security plan in accordance with NIST guidance.

     BFO requested fiscal year 2008 funding to initiate the effort to modernize its financial
     management system. Specifically, the funding was to have a contractor assist RRB
     management in planning a timeline for modernizing its financial management system,
     conducting an assessment of the RRB's core financial management system (FFS) to
     determine whether performance gap(s) exist or can be anticipated between its overall
     financial management strategy and its current financial solution. When evaluating a
     performance gap, the contractor is to consider Financial Systems Integration Office
     requirements, internal audit standards and statutory requirements, the agency's
     enterprise financial management system, and its business architecture.
Due to budget
     constraints, funding was not available in fiscal year 2008 for this contract.

     We have requested funding for a Certification and Accreditation (C&A) of the Financial
     Management major application. Hopefully, the funding will be available to utilize the
     existing contract the agency has in place for completing C&As for the other agency
     systems.


cc:    Terri Morgan, Chief Information Officer
       Robert Piech, Chief Security Officer
       Kris Garmager, Financial Systems Manager
       Mike Zulevic, IT Specialist
       William Flynn, Executive Assistant
       Jill Roellig, Management Analyst


                                                                    Appendix II

                 UNITED STATES GOVERNMENT
                 RAILROAD RETIREMENT BOARD
                 MEMORANDUM

                                                            September 30, 2008

TO           Letty Benjamin Jay
             Assistant Inspector General, Audit

FROM         Terri Morgan
             Chief Information Officer

SUBJECT:     Draft Report - Fiscal Year 2008 Evaluation of Information Security at the
             Railroad Retirement Board


We have reviewed the subject report and provide you with the following responses to
the Bureau of Information Services recommendations included in the report.

Recommendation 2
We recommend that the Bureau of Information Services review and update the LAN/PC
general support system's risk assessment to accurately reflect the current RRB system
environment and control analysis.

BIS Response
We concur with the recommendation. There is already a system risk assessment
process existing that should be updated. Once we have a document that accurately
reflects the current RRB system environment, we can adjust our risk assessment plans
to complement the current environment. An accurate map of our environment has to be
provided by the engineers in order to accomplish this recommendation. This should be
completed by September 30, 2009.

Recommendation 3
We recommend that the Bureau of Information Services develop a comprehensive plan
for the testing and evaluation of the agency's contractor operations.

BIS Response
This recommendation is under consideration. We are seeking legal counsel on this
issue to verify which agency contracts should be considered for certification and
accreditation as information systems in compliance with FISMA requirements. We will
advise the OIG of our decision regarding concurrence or non-concurrence after
guidance is provided.

Recommendation 4
We recommend that the Bureau of Information Services develop controls to ensure
Computer Access Authorization Requests are received from field offices in a timely
manner.

BIS Response
We concur with the recommendation. We are developing procedures to ensure that
Computer Access Authorization Requests are received from field offices in a timely
manner. The process improvement will be implemented by October 31, 2008.

Recommendation 5
We recommend that the Bureau of Information Services develop controls to identify
temporary employees and ensure that each temporary employee is provided with
security awareness training when the temporary employee is hired.

BIS Response
We concur with the recommendation. We are developing improved procedures to
ensure that all employees and contractors are provided with security awareness training
when hired. The new procedures will be implemented by November 21, 2008.

Recommendation 7
We recommend that the Bureau of Information Services review and update the LAN/PC
system security plan to address the inaccurate or missing information.

BIS Response
We concur with the recommendation. The System Security Plan (SSP) provided to the
Agency by DSD during the C&A process (Aug-2007) will be reviewed and completed by
December 31, 2008.

Recommendation 8
We recommend that the Bureau of Information Services continue their efforts to identify
each agency modem, address data discrepancies between their study and the fixed
asset inventory system, and implement controls to ensure adequate protection of the
RRB network.

BIS Response
We concur with the recommendation. The ongoing modem study project is intended to
identify agency modems, address data discrepancies regarding modems in the fixed
asset inventory system and assess RRB network modem controls by March 30, 2009.